Ongoing Social Engineering Campaign Refreshes Payloads

Aug. 20, 2024, 8:59 a.m.

Description

Rapid7 observed a shift in the tools used by threat actors in an ongoing social engineering campaign. The initial lure is an email bombing of the target, followed by phone calls to the affected users offering a fake fix. Once the threat actors have a remote connection to the victim's machine, they deploy payloads for credential harvesting, establishing command and control, and lateral movement. Notable changes include the use of AntiSpam.exe for credential harvesting and a set of executables and PowerShell scripts that serve as droppers, beacons, and SOCKS proxies. The campaign also attempts to exploit CVE-2022-26923 for privilege escalation.

Indicators


Attack Patterns

  • update8.exe
  • update7.ps1
  • update7.exe
  • update6.exe
  • update5.dll
  • update4.exe
  • update3.exe
  • update2.dll
  • update1.exe
  • AntiSpam.exe

Linked vulnerabilities